The volume action "os-extend" API does not check policy

Bug #1682211 reported by Matt Riedemann
This bug affects 1 person
Affects  Status   Importance  Assigned to  Milestone
Cinder   Invalid  Undecided   Unassigned

Bug Description

There is a "volume:extend" policy rule defined in cinder's default policy.json file but that rule is not checked in the actual code for the os-extend volume action API. So if a deployer wants to disable this feature from owners (end users) of the volume, and restrict it to just admins, they can't because the code doesn't enforce it.

This is most likely true for a lot of volume action APIs.

Matt Riedemann (mriedem) wrote :

Never mind, I'm wrong; it's checked in the volume API code here:

https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/api.py?h=10.0.1#n1271

The name of the method is used to match it to the policy.

Changed in cinder:
status: New → Invalid
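
Added example, not part of the original report and not Cinder's code: a minimal model of policy enforcement keyed on the method name, which is why searching a call site for the literal "volume:extend" finds nothing. The names RULES, enforce, check_by_method_name, VolumeAPI, unguarded_action and audit are assumptions made for illustration; audit() lists which methods carry a check.

```python
import functools

# Constructed rules in the spirit of a policy.json; the rule values are assumptions.
RULES = {"volume:extend": "admin_only", "volume:delete": "admin_or_owner"}

class PolicyNotAuthorized(Exception):
    pass

def enforce(context, action, target):
    """Toy rule engine: fail closed when an action has no rule."""
    rule = RULES.get(action)
    is_admin = "admin" in context["roles"]
    is_owner = context["project_id"] == target["project_id"]
    if rule == "admin_only" and is_admin:
        return
    if rule == "admin_or_owner" and (is_admin or is_owner):
        return
    raise PolicyNotAuthorized(action)

def check_by_method_name(func):
    """Enforce the rule named after the wrapped method, e.g. extend -> volume:extend."""
    action = "volume:" + func.__name__

    @functools.wraps(func)
    def wrapped(self, context, volume, *args, **kwargs):
        enforce(context, action, volume)
        return func(self, context, volume, *args, **kwargs)

    wrapped.policy_action = action  # marker so the class can be audited
    return wrapped

class VolumeAPI:  # hypothetical stand-in, not cinder.volume.api.API
    @check_by_method_name
    def extend(self, context, volume, new_size):
        volume["size"] = new_size
        return volume

    @check_by_method_name
    def delete(self, context, volume):
        return "deleted"

    def unguarded_action(self, context, volume):  # hypothetical: no decorator
        return "ran without a policy check"

def audit(cls):
    """Map each public method to its policy action, or None if nothing enforces one."""
    return {name: getattr(fn, "policy_action", None)
            for name, fn in vars(cls).items()
            if callable(fn) and not name.startswith("_")}
```

Renaming a decorated method silently changes the rule it is checked against, so the audit output is worth comparing with the rule names in the policy file.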